Date:      Fri, 10 May 2002 05:35:11 -0700
From:      "Drew Tomlinson" <drew@mykitchentable.net>
To:        <freebsd-security@freebsd.org>
Subject:   Re: Allowing FTP Through *My* IPFW Firewall
Message-ID:  <003f01c1f81f$208dc0c0$0301a8c0@bigdaddy>
References:  <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov> <006601c1f81a$711452c0$fe00a8c0@insomnia>

----- Original Message -----
From: "Nils Nordell" <nordnils@mtek.chalmers.se>
Sent: Friday, May 10, 2002 5:01 AM


> Are you running natd on the machine with the ADSL modem?
> Then you could use the option "punch_fw" in /etc/natd.conf.
> Punch_fw creates temporary firewall rules allowing ftp and irc
> without trouble on the machines behind the firewall.

No.  The 3Com ADSL Modem/Router is not a FBSD box, nor is it even a PC.
It's a special-purpose device running a proprietary OS, kind of like a
LinkSys, Netgear, or DLink router with an ADSL modem built in.

Thanks for your response!

Drew

> / Nils
> ----- Original Message -----
> From: "Drew Tomlinson" <drew@mykitchentable.net>
> To: <security@freebsd.org>
> Sent: Thursday, May 09, 2002 7:48 PM
> Subject: Allowing FTP Through *My* IPFW Firewall
>
>
> > I'm trying to figure out what rule I need to add or change to allow ftp
> > sessions to pass through my ipfw firewall.  I have searched the archives,
> > but the only conclusion I have found is that this is a difficult task
> > because of the nature of ftp.  I'm hoping someone can help me with my
> > specific situation.
> >
> > Here is how my home network is configured:
> >
> >                   ISP
> >                    |
> >                    | Public DHCP address
> >                    |
> >            3Com ADSL Modem/Router
> > (Router performs NAT and passes packets to 10.2 by default)
> >                    | (192.168.10.1)
> >                    |
> >                    |
> >                    | (ed1 192.168.10.2)
> >               FBSD Gateway
> >                    | (ed0 192.168.1.2)
> >                    |
> >                    |
> >               Internal LAN
> >
> >
> > These are my current firewall rules:
> >
> > blacksheep# ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny log ip from any to 127.0.0.0/8
> > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> > 00500 check-state
> > 00600 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001 to any established
> > 00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
> > 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
> > 00900 allow tcp from any to 192.168.10.2 21,22,8021
> > 01000 allow icmp from any to any icmptype 3,4,11,12
> > 01100 allow icmp from any to any out icmptype 8
> > 01200 allow icmp from any to any in icmptype 0
> > 01300 reset log tcp from any to any 113
> > 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> > 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> > 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> > 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> > 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> > 01900 allow udp from 192.168.10.1 to any
> > 02000 allow udp from any to 192.168.10.1
> > 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> > 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
> > 65500 deny log ip from any to any
> >
> > An FTP client on the outside can establish a session and log in through
> > the firewall but fails when the first data transfer (listing the remote
> > directory) begins.  Here is a sample entry from my security log:
> >
> > May  9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP
> > 207.173.226.108:2191 192.168.1.4:49172 in via ed1
> >
> > Any help would be appreciated.
> >
> > Thanks,
> >
> > Drew
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >

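The denied packet in Drew's log line (external host, ephemeral source port, inbound on ed1 to 192.168.1.4:49172) is consistent with the passive-mode data connection: the FTP server announces the data port in-band, in its 227 reply on the control channel, so no static port list such as the one in rule 00700 can cover it. The script below is an added example by the editor, not code from this thread or from FreeBSD; the ipfw log line is the one quoted above, while the 227 reply (chosen so that 192*256+20 = 49172), the passive port range 49152-49999, and rule number 00750 are constructed assumptions. It decodes the PASV reply, parses the ipfw log line, correlates the two, and renders the shape of an ipfw rule that would admit a bounded passive range (which only helps if the FTP server is actually configured to use that range).

```python
"""Correlate a denied inbound connection in an ipfw log line with the
endpoint an FTP server advertised in its PASV (227) reply.

Editor's added example, not code from the thread. The ipfw log line is the
one quoted in the thread; the 227 reply, passive range and rule number are
constructed to match it.
"""
import re

# Ports that rule 00700 in the posted ruleset admits inbound to 192.168.1.0/24.
RULE_700_PORTS = frozenset({21, 22, 25, 80, 143, 389, 443, 993, 5405, 10001})

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Shape of the TCP/UDP log line the kernel printed in the thread:
# "ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1"
# (ICMP lines carry no ports and are not handled here).
IPFW_LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the port is p1 * 256 + p2.

    This in-band negotiation is the 'nature of ftp' problem: the data port
    is picked per transfer, so a static rule list cannot know it in advance.
    """
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(g) for g in m.groups()]
    if not all(0 <= f <= 255 for f in fields):
        raise ValueError("PASV field out of range: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_ipfw_log(line):
    """Return the fields of an ipfw TCP/UDP log line as a dict."""
    m = IPFW_LOG_RE.search(line)
    if m is None:
        raise ValueError("unrecognised ipfw log line: %r" % line)
    pkt = m.groupdict()
    for key in ("rule", "sport", "dport"):
        pkt[key] = int(pkt[key])
    return pkt


def explain_deny(log_line, pasv_reply, allowed_ports=RULE_700_PORTS):
    """Report whether a logged inbound TCP connection is the data channel the
    server advertised in pasv_reply, and whether a static port list covers it."""
    pkt = parse_ipfw_log(log_line)
    host, port = parse_pasv(pasv_reply)
    is_data_channel = (
        pkt["proto"].upper() == "TCP"
        and pkt["direction"] == "in"
        and pkt["dst"] == host
        and pkt["dport"] == port
    )
    return {
        "rule": pkt["rule"],
        "denied": pkt["action"].lower() == "deny",
        "is_pasv_data_channel": is_data_channel,
        "port_in_static_allow_list": pkt["dport"] in allowed_ports,
    }


def passive_range_rule(number, host, iface, first, last):
    """Render an ipfw rule admitting inbound connections to a bounded passive
    port range (assumption: the FTP server is configured to use exactly that
    range). The rule must be numbered before the final deny (65500 here)."""
    if not (0 < first <= last <= 65535):
        raise ValueError("bad port range %d-%d" % (first, last))
    return ("%05d allow tcp from any to %s %d-%d in recv %s setup keep-state"
            % (number, host, first, last, iface))


if __name__ == "__main__":
    LOG = ("May  9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP "
           "207.173.226.108:2191 192.168.1.4:49172 in via ed1")
    # Constructed reply: 192*256 + 20 == 49172, the port denied above.
    PASV = "227 Entering Passive Mode (192,168,1,4,192,20)"
    print(explain_deny(LOG, PASV))
    print(passive_range_rule(750, "192.168.1.4", "ed1", 49152, 49999))
```

Running it shows `is_pasv_data_channel` True and `port_in_static_allow_list` False for the posted line, which is exactly why the connection fell through to 65500. Whatever rule is added, the range it opens has to match the server's own passive-port configuration, or the next transfer will pick a port outside it and fail the same way.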
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003f01c1f81f$208dc0c0$0301a8c0>